Content Management Systems and Methods Using Proxy Reencryption

1. A method for managing data performed by an electronic data access management system comprising a processor and a non-transitory computer-readable medium storing instructions that, when executed by the processor, cause the electronic data access management system to perform the method, the method comprising: receiving, from an electronic data service system, a protected reencryption program, an encrypted data access key encrypted using a public encryption key of the electronic data service system, and an identifier of electronic data associated with the encrypted data access key, the protected reencryption program comprising a protected private decryption key of the electronic data service system; receiving, from a user device, a data access request message, the data access request message comprising the identifier of the electronic data and a public encryption key of the user device; generating a reencrypted data access key using the protected reencryption program based on the encrypted data access key and the public encryption key of the user device, wherein generating the reencrypted data access key comprises: decrypting the encrypted data access key by the protected reencryption program to generate a data access key, and encrypting the data access key using the public encryption key of the user device to generate the reencrypted data access key, wherein decrypting the encrypted data access key to generate the data access key and encrypting the data access key to generate the reencrypted data access key are performed without exposing plaintext of the data access key to the electronic data access management system outside the protected reencryption program during execution of the protected reencryption program; generating a data access response associated with the electronic data, the data access response comprising the reencrypted data access key; and transmitting the data access response to the user device.

2. The method of claim 1, wherein the data access request message further comprises a signed message.

3. The method of claim 2, wherein the method further comprises: prior to generating the reencrypted data access key and the data access response, verifying a signature of the signed message.

4. The method of claim 3, wherein the signed message comprises a data access request message issued by the user device to the electronic data service system signed by the electronic data service system.

5. The method of claim 3, wherein verifying the signature of the signed message comprises verifying that the signed message has been signed by the electronic data service system.

6. The method of claim 1, wherein generating the reencrypted data access key comprises generating the reencrypted data access key without exposing the protected private decryption key of the electronic data service system to the electronic data access management system during execution of the protected reencryption program.

7. The method of claim 1, wherein the protected reencryption program comprises an obfuscated program.

8. The method of claim 7, wherein the protected reencryption program is obfuscated using indistinguishability obfuscation.

9. The method of claim 7, wherein the protected reencryption program is obfuscated using whitebox cryptographic obfuscation.

10. The method of claim 1, wherein the data access response further comprises one or more data access terms relating to use of the electronic data.

11. The method of claim 1, wherein the electronic data comprises protected content.

12. The method of claim 11, wherein the data access key comprises a content key.

13. The method of claim 1, wherein the protected reencryption program is associated with a system identifier associated with the user device.

14. The method of claim 13, wherein the method further comprises receiving the system identifier from the user device.

15. The method of claim 1, wherein the public encryption key of the user device is issued to the user device as part of a registration process.